Device for protecting an electronic apparatus

ABSTRACT

A method and system to activate or deactivate modifiable features, the system comprising a protected device having a plurality of modifiable features and an identification means, a protective device for modifying the modifiable features of the protected device, wherein the protective device is adapted to be in selective in communication with the protected device and the protective device comprises a processor, a first memory in communication with the processor for storing a plurality of activation codes, a second memory in communication with the processor for storing a plurality of release programs corresponding to the activation codes.

BACKGROUND

The invention relates to a device for protecting an electronicapparatus, an installation, a system or the like against the use offunctions that can be executed via lockable programs or program partswhich device can be connected with the apparatus to be protected, aninstallation, a system or the like via an interface, whereas theprotective device is assigned an identification number and contains apreferably non-erasable memory, for example, an EEPROM, for the storingof at least one activation code which activation code can be compared tothe identification number, and a read-protected program memory for thestoring of at least one release program is provided which releaseprogram upon agreement of the activation code with the identificationnumber of the protective device is carried out.

Devices of this type which are also called dongle, security device,hardlock etc. serve for the protection of the individual functions ofthe computer software which are executed by programs or program parts.The software protection known so far is based on software and hardwaresolutions or on a combination of these.

Purely software solutions are typical for professional computer systemswhich are assigned an individual identification number, appearing onlyonce worldwide, of the Node-ID. The protected program runs only if forevery query code an appropriate answer code has been stored in thesystem. Prior to the execution of the program or program part, thedevice software calculates, from the machine identification number, aprimary key value which is compared with a second primary key valuecalculated from the answer code. If these fit to one another, theprogram proceeds. Even just a part of the program code can be encodedwhich has to, first, be formed with a cipher key and then decoded fromthe answer code and the serial number.

The advantages of such a software solution lie in its user-friendlymaintenance, since the storage of the answer code in the system occursvery rapidly automatically via, for example, modem or manually on thekeyboard, or by transferring the code on the telephone, by fax, ororally to a service personnel who then enters it. Furthermore, it isadvantageous that, for various program functions, also various codes arepossible. No additional costs are incurred for every protected programand relatively high security is afforded.

The disadvantages of such a software solution exist in the fact that achange to another system with another identification number from thelicensee cannot be performed. Further, the system to be protectedrequired an unmistakable identification number which, however, is notalways available and thus the system is non-secure.

As the second large area of known realization of software protection,hardware solutions that are typically employed in the PC area areconsidered. A device (“dongle”) connected to a computer interfaceanswers to a query code with an answer code. Instead of simple answercodes, a coded part of the program can be decoded using this dongle orcalculations of program algorithms can be transferred into the dongle.The advantages of the hardware solutions exist in the fact that theprotection in the form of the dongle can be transferred from system tosystem which is important in an exchange of systems in the case of adefect or a generation upgrade. No identification number within thesystem is necessary.

A disadvantage of such a hardware solution exists, however, in the factthat normally only protection for one program or program part isobtainable for each dongle. Individual program parts cannot, or onlywith much effort, be newly licensed. Furthermore, this requires an owninterface and also derives its power supply from the same.

The U.S. Pat. No. 5,222,133 discloses a protective device in which, foreach attached program part, an answer code is stored in the read-onlymemory of the system to be protected, from where it can be called uponusing a correct activation code.

SUMMARY

It is the object of the invention to specify a device of the typementioned at the outset, which device offers protection against theunauthorized operation of a plurality of locked functions, withouthaving to provided parts needed exclusively therefor in the apparatus tobe protected.

It is a further object of the invention to make possible a change in thefunctions to be released which, without having to return theinstallation to be protected or the protective device to the licensor,can also be performed over long distances.

According to the invention, this is achieved in that the read-protectedprogram memory for the storing of at least one release program isprovided together with the memory for the storing of at least oneactivation code in the protective device.

In so doing, not only the identification number is contained in theprotective device according to the invention, but it also contains thememory for the release program for the individual functions of theapparatus to be protected.

In this way, a protection against the unauthorized release of programsor program parts is made possible without having to re-calculate theactivation code upon exchange of the apparatus or the installation to beprotected. Based on the instructions of the program memory in theprotective device, it is not needed in the installation to be protected.Various protection mechanisms can be chosen for the individual programsor program parts, as long as the appropriate algorithms fit into theprogram memory of the protective device according to the invention.These can then be turned on or off individually. Should the apparatus tobe protected become defective, a replacement system with the protectivedevice according to the invention can continue to operate at any time.The protective device according to the invention can already bepre-configured to the desired specifications of the user at the systemmanufacturer or the software supplier.

According to another variation of the invention, it can provided that,in the read-protected program memory, a plurality of release programsand, in the activation code memory, the activation codes correspondingto the release programs are stored, which release programs are selectedseparately from one another.

In that way, protection mechanisms for a plurality of programs orprogram parts can be chosen in various forms independently from oneanother.

According to another characteristic of the invention, the read-protectedprogram memory can provided along with a microprocessor in a protectivedevice.

In that way, all communications or re-coding and comparison processescan be processed centrally in a simple manner.

In a further elaboration of the invention, it can be provided that atleast one part of the release programs can be activated via an inputdevice separate from the apparatus to be protected and connected withthe protective device.

If, on the apparatus to be protected, there is no input system for theactivation of further release programs, then the activation codes of theprotective device according to the invention can be changed, in thisway, on this separate input system accordingly.

According to another variation of the invention, it can provided thatthe protective device can be connected via a plug to the apparatus,installation, system or the like to be protected.

In so doing, the authorization obtained through the protective devicefor the operating of the particular program also for other apparatuses,installations, for example, for an installation of a next generation canbe replaced with such a plug connection.

In a further elaboration of the invention, it can be provided that thepower supply of the protective device is provided from the parallelinterface.

In that way, the protective device can be operated without its own powersupply arrangement.

A further object of the invention can consist in specifying a method forthe release of a locked program or program part with the use of aprotective device according to the invention.

This can be achieved in a way in which, in a first step, from theapparatus, the installation, the system or the like a query of a programor a program part for a protected function is passed on to theprotective device, in which, in a second step, a release programdeposited in the program memory is found with which the query isanswerable, in which, in a third step, the corresponding activation codeis read from the memory and decoded, and the result obtained therefromcompared with the identification code of the protective device, inwhich, in a fourth step, upon agreement of the identification number andthe decoded activation code, the found release program releases thelocked program or program part in the apparatus, or, in the case thatthere is no agreement of the identification number with the decodedactivation code the program or program part remains locked in responseto the query.

In this manner, different programs or program parts can be released fromthe locking device independent of one another in the apparatus to beprotected; however, no storage of data in the apparatus to be protectedcan occur in this way, instead all of the parts subject to theprotective measures are concentrated in the protective device.

In a further elaboration of the invention, it can be provided that, inthe fourth step of no agreement of the identification number with thedecoded activation code, the program or program part that corresponds tothe query remains with a limited functionality or a time limit whileanother program is released.

In that way, a probing of activation codes by unauthorized persons isprevented, since the other released program, at first, gives theimpression that the activation code was correctly deciphered. Throughthe resulting waste of time in the search for the correct activationcode, the undesired probing of the activation code can be madeimpossible under normal circumstances.

According to another characteristic of the invention, it can providedthat, in the fourth step of no agreement of the identification numberwith the decoded activation code, a signal-release program is startedwhich triggers a signaling.

In so doing, an unauthorized or erroneously incorrect inputting of anactivation code can be notified in a suitable manner, for example, byreporting the process via a modem or depositing in an element of thememory with the date and time of day.

Finally, it can be provided that, in the third step, the correspondingactivation code is read from the activation code memory and is tiedmathematically with the identification number, by which a functionalpart of the released program, for example, a calculation constant or aprogram code is formed.

In that way, the fourth step is dropped, since the released program uponincorrect activation code automatically delivers incorrect results.

BRIEF DESCRIPTION OF THE DRAWINGS

The invention is described in detail in the following using theembodiment examples given in the diagrams.

FIG. 1 shows a schematic illustration of the organization of the programmemory and of the activation code memory of a protective deviceaccording to the invention.

FIG. 2 shows a block diagram with an embodiment of a protective deviceaccording to the invention.

DETAILED DESCRIPTION

In FIG. 2, shown is a device 5 for the protection of a telephoneextension installation 4 against the use of certain functions that canbe performed via programs or program parts. These functions have alreadybeen provided in the telephone installation during manufacturing buthave been locked in the distribution to the end user. Thus, such afunction can consist of that, for example, conversations can beconnected to random straight free extension phones. The installationsthat are offered for purchase contain all these functions, however, theyare only offered at an extra cost. If the end user desires such anadditional function, then he can obtain them by, for example, paying alicensing fee, upon which the manufacturer of the installation or anauthorized dealer can effect the release of the locked program orprogram part by saving an appropriate activation code. This shouldachieve that installations can already be fully equipped with additionalfunctions, but that it is only possible for a small group of persons toperform the release of the same. This can be realized within the scopeof the invention for all kinds of electronic apparatuses, installations,systems which work with programs parts or programs.

In so doing, the activation codes can be input via modem or also bymeans of a keyboard into the apparatus 4 to be protected and then passedon to the protective device 5 which is connected with installation 4 viaan interface 3, preferably by means of a plug not shown here. Plug-inprotective devices are commonly referred to in the jargon of theindustry as “dongles.” Via the protective device 5, certain programfunctions of the installation 4 are releasable or lockable.

The protective device 5 consists of a non-erasable memory, for example,an EEPROM, for the storing of the activation codes which activationcodes are callable and comparable with a predetermined identificationnumber, which is deposited as read-protected in the protective device 5.Further, provided is a read-protected program memory 7 for the storingof release programs, in which a certain release program is only then runwhen there is an agreement of the decoded activation code with theidentification number.

By release programs, meant are all known processes such as, for example,program-part or data decoding, external calculations, encoded programparameters, state machines and so forth, individual, combined and/orvaried.

According to the invention, thus provided is that the read-protectedprogram memory 7, along with a activation code memory, is arranged in aprotective device 5.

In that way, the apparatus 4 to be protected does not have to have itsown memory provided and, if this one is defective, a replacement systemcan continue to work with the same protective device 5 which only has tobe plugged into the same, without having to change activation codes orrelease programs.

The program memory 7 in embodiment example according to FIG. 1 isadministered by microprocessor 1 which operates the information exchangebetween the installation 4 to be protected and the protective device 5and conducts further operations for the purpose of the release orlocking of certain functions of the installation 4.

As can be seen from the schematic construction of both memory 7 andmemory 2 shown in FIG. 1, a plurality of release programs d, 1 . . . n,and, in the activation code memory 2, the activation codes e, 1 . . . ncorresponding to the release programs are stored in the read-protectedprogram memory 7, whereas the individual release programs d, 1 . . . nare callable separate from one another.

The embodiment of a protective device according to the invention asshown in FIG. 2 contains, in the protective device 5, a microprocessorwith a read-protected flash-PROM program memory 7, in which programparts a-d and identification number f are stored according to FIG. 1.The activation codes e are deposited in the EEPROM 2. The communicationwith the installation to be protected occurs via the parallel interface3; it could, however, also occur serially based on the interface builtinto processor 1. The power supply of the protective device 5 occursfrom the parallel interface.

The telephone installation 4 to be protected is provided with amaintenance modem by which several release programs can be activated orde-activated via modem. Likewise, the protective device can be deliveredfrom the plant already pre-configured. The protective device 5 accordingto the invention controls, for a plurality of release programs orprogram parts of the telephone installation 4, the corresponding releaseprograms which are of different types and can be activated or changedindependently of one another. The activation, de-activation ormodification occurs via the communications interface 3 of the protectivedevice 5 according to the invention, whereas the correspondingactivation codes that depend on their identification number are validfor only one release program in only this protective device. Therefore,a non-secure transfer of the activation code, for example, to themaintenance modem of the telephone installation 4, authorized. Thecommunication can also occur decoded to increase security.

The activation codes are best calculated using PC-programs and can beinput with an existing data path, such as a network, modem or the likeor manually via a terminal. The identification number and the number ofthe release program 1 . . . n (FIG. 1) to be activated or modified canbe worked from the protective device 5 into a code from which thecorresponding activation codes can be calculated. The activation codescan be queried from the protective device.

In FIG. 2, the inner processes in a query made by the installation 4 tobe protected are to be taken, with which a locked program part should bereleased.

1) In a first step, a query, sent from the installation 4 by means of acommunications routine a, for a program or a program part for aprotected function to the protective device 5 is performed.

2) In a second step, that of the release program d (#1 . . . #n) whichhas been deposited in the memory is found via a message evaluationroutine b, with which the query is answerable.

3) In a third step, the activation code e (#1 . . . #n) is read from thememory 2 and decoded with the aid of a write/read routine c, and theresult obtained therefrom is compared to the identification number f ofthe protective device. The identification number f is deposited in theprogram memory 7.

4) In a fourth step, upon agreement of the identification number f andthe decoded activation code e, the locked program or program part in theinstallation 4 is released using the found release program d, or theprogram or program part remains locked in response to the query if thereis no agreement of the identification number f and the decodedactivation code e.

The activation codes do not need to be encoded, since each activationcode only acts on the protective device according to the invention forwhich it has been generated; thus the activation code has to fit to thedesired protected function and to the internal identification number ofthe protective device. To prevent a successful probing of the activationnumber, the code should have at least 32 bit=9 decimal places.

To further complicate the probing, it is recommended to accept allactivation codes, to run the corresponding release programs, however,slightly falsified upon invalid activation code, so that the program tobe protected is not correctly run.

A thus-appropriate variation of the fourth step can consist of that,upon there being no agreement of the identification number with thedecoded activation code, the program or program part corresponding tothe query is released with only a limited functionality or with a timelimit.

If, upon inputting of an activation code, it were immediately noticeablefrom the answer whether or not a code is correct, all possibleactivation codes could be tested automatically and very quickly usingcorresponding programmed calculators. For such a case, very longactivation codes of 64 bit or more each should be employed.

Furthermore, it can be provided that, in the fourth step, upon therebeing no agreement of the identification number with the decodedactivation code, a signal-release routine is started which triggers asignaling. This signaling can consist of that an attempt made using anincorrect activation code is reported via an existing modem, so that acentral office is notified thereof. Further, there is the possibilitythat such an input is saved along with the date and time of day in amemory from which this information can again be retrieved later.

The activation codes can also be delivered via modem or through inputusing a keyboard to the installation to be protected and from there tothe protective device according to the invention.

A further variation of the invention can consist of that, in the thirdstep, the corresponding activation code is read from the activation codememory and mathematically tied to the identification number, throughwhich a functional part of the release program, for example, acalculation constant or a program code is formed.

Then the fourth step is dropped completely, since the release programautomatically delivers incorrect results upon input of an incorrectactivation code. This variation can, thus, even be used for there-programming of the release programs, given longer activation codes.

To record further activation codes into the protection arrangement 5,the following procedure is selected:

1) A query of the number (1 . . . n) of the release program to bereleased is sent to the protective device.

2) The evaluation routine b generates a code from the identificationnumber f and the number of the release program.

3) The code is sent via modem, fax, telephone, network connection or thelike to the licensor.

4) At the licensor, an answer code is generated by means of a program.

5) The answer code is sent back to the protective device which storesthe same as activation code.

Above items 2 and 3 can be dropped if the licensor knows the internalidentification number of the protective device.

In order to delete an activation code, one proceeds in the same way aswith the inputting. The message to the protective device contains forthe number of the activation code an incorrect code, with which norelease of the function is achievable.

What is claimed is:
 1. A protective device for the protection of anelectronic apparatus, an installation, a system or the like against useof functions that is can be performed via lockable programs or programparts, which device is can be connected via an interface with theapparatus, installation, system or the like to be protected, whereas theprotective device is assigned a predetermined identification number andthe protective device contains a preferably non-erasable memory, forexample, an EEPROM for the storing of at least one activation code,which activation code is can be compared to an identification number anda read-protected program memory for the storing of at least one releaseprogram is provided, which release program is run upon agreement of theactivation code with the identification number of the protective device,the read-protected program memory (7) for the storing of at least onerelease program is arranged along with the memory for the storing (2) ofat least one activation code in the protective device (5) modifying thestate of at least one feature in a protected device having a pluralityof features, the protective device comprising: a interface adapted tocommunicate with the protected device, a processor in communication withthe interface, a non-erasable memory in communication with the processorfor storing a plurality of activation codes, a read-protected memory incommunication with the processor for storing a plurality of releaseprograms corresponding to the activation codes, and wherein theprocessor contains instructions for: receiving a request from theprotected device to modify the state of the at least one feature, therequest including an identification number of the protected device,identifying a release program from within the plurality of releaseprograms corresponding to the at least one feature, identifying anactivation code from within the plurality of activation codescorresponding to the at least one feature, and comparing the activationcode to the identification number to determine if there is an agreementbetween the activation code and the identification number, if there isan agreement, then executing the identified release program to modifythe state of the at least one feature.
 2. The protected device of claim1 wherein the instructions further comprise decoding the activationcode.
 3. The protected device of claim 2 wherein the comparing furthercomprises: comparing the decoded activation code to the identificationnumber to determining if there is an agreement between the decodedactivation code and the identification number, if there is agreement,then executing the identified release program to modify the state of theat least one feature.
 4. The protective device of claim 1 wherein theinterface is a parallel interface which is adapted to supply power tothe protective device from the protected device.
 5. The protectivedevice of claim 1 wherein the instructions further comprise executingthe identified release program to permit limited functionality of the atleast one feature in an event of no agreement between the between theactivation code and the identification number.
 6. The protective deviceof claim 1 wherein the instructions further comprise executing theidentified release program to modify the state of the at least onefeature for a predetermined period of time in an event of no agreementbetween the between the activation code and the identification number.7. The protective device of claim 1 wherein the instructions furthercomprise executing a signaling routine which instructs the protecteddevice to send a signal to a predetermined address, the signalindicating an attempt to modify the state of at least one feature. 8.The protective device of claim 7, wherein the signaling routine isexecuted only in an event of no agreement between the activation codeand the identification number.
 9. The protective device of claim 1wherein the agreement is a mapping of the activation code to a functionof the identification number.
 10. A system to activate or deactivatemodifiable features, the system comprising: a protected device having aplurality of modifiable features and an identification means, aprotective device for modifying the modifiable features of the protecteddevice, wherein the protective device is adapted to be in selective incommunication with the protected device and the protective devicecomprises: a processor, a first memory in communication with theprocessor for storing a plurality of activation codes, a second memoryin communication with the processor for storing a plurality of releaseprograms corresponding to the activation codes, and wherein theprocessor contains instructions for: receiving a request from theprotected device for a modification of a modifiable feature, the requestincluding the identification means, locating a release program fromwithin the plurality of release programs corresponding to the modifiablefeature, locating an activation code from within the plurality ofactivation codes corresponding to the modifiable feature, and comparingthe activation code to the identification number to determining if thereis an agreement between the activation code and the identificationnumber, if there is agreement, then executing the located releaseprogram to modify the modifiable feature.
 11. The system of claim 10further comprising a parallel interface which is adapted to supply powerfrom the protected device to the protective device.
 12. The system ofclaim 10 wherein the instructions further comprise executing the locatedrelease program to modify the modifiable feature with limitedfunctionality in the event of no agreement between the between theactivation code and the identification number.
 13. The system of claim10 wherein the instructions further comprise executing the locatedrelease program to modify the modifiable feature for a predeterminedperiod of time in the event of no agreement between the between theactivation code and the identification number.
 14. The system of claim10 wherein the instructions further comprise executing a signalingroutine which instructs the protected device to send a signal to apredetermined location, the signal indicating an attempt to modifyingthe modifiable feature.
 15. The system of claim 14, wherein thesignaling routine is executed only in an event of no agreement betweenthe activation code and the identification number.
 16. The system ofclaim 10 wherein agreement is a mapping of the decoded activation codeto a function of the identification number.
 17. A method for activatingor deactivating modifiable features in a protected device coupled to aprotective device, the method comprising: receiving a request from theprotected device for a modification of a modifiable feature, the requestincluding an identifier for the protected device, locating a releaseprogram from within a plurality of release programs, wherein the releaseprogram corresponds to the modifiable feature, locating an activationcode from within the plurality of activation codes wherein theactivation code corresponds to the modifiable feature, and comparing theactivation code to the identifier to determining if there is anagreement between the activation code and the identifier, if there is anagreement, then executing the located release program to modify themodifiable feature.
 18. The method of claim 17 further comprisingexecuting the located release program to modify the modifiable featurewith limited functionality in an event of no agreement between thebetween the activation code and the identifier.
 19. The method of claim17 further comprising executing the located release program to modifythe modifiable feature for a predetermined period of time in an event ofno agreement between the activation code and the identifier.
 20. Themethod of claim 17 further comprising executing a signaling routinewhich instructs the protected device to send a signal to a predeterminedaddress, the signal indicating an attempt to modify the modifiablefeature.
 21. The method of claim 20, wherein the signaling routine isexecuted only in the event of no agreement between the activation codeand the identifier.
 22. The system of claim 17 wherein the agreement isa mapping of the decoded activation code and to a function of theidentifier.